Events

2022/12/18  BG_PARLIAMENT - Contribution
2022/12/16  EP - LØKKEGAARD Morten (Renew) appointed as rapporteur in IMCO
2022/11/13  CZ_CHAMBER - Contribution
2022/11/09  EDPS - Document attached to the procedure
2022/11/09  EP - Committee referral announced in Parliament, 1st reading
2022/10/26  EP - DANTI Nicola (Renew) appointed as rapporteur in ITRE
2022/09/15  EC - Document attached to the procedure
2022/09/15  EC - Document attached to the procedure
2022/09/15  EC - Document attached to the procedure
2022/09/15  EC - Legislative proposal published
Details

PURPOSE: to lay down a horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021. Such products suffer from two major problems that add costs for users and society: (i) a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and (ii) insufficient understanding of, and access to, information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. In a connected environment, a cybersecurity incident in one product can affect an entire organisation or a whole supply chain, often propagating across the borders of the internal market within a matter of minutes. This can lead to severe disruption of economic and social activities or even become life threatening.

While the existing Union legislation applies to certain products with digital elements, there is no horizontal Union regulatory framework establishing comprehensive cybersecurity requirements for all products with digital elements. It is therefore necessary to lay down a uniform legal framework for essential cybersecurity requirements for placing products with digital elements on the Union market.

CONTENT: with this proposal, the Commission seeks to lay down horizontal cybersecurity rules which are not specific to sectors or certain products with digital elements.

Subject matter

Based on the new legislative framework for product legislation in the EU, the proposal establishes:

- rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;

- essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;

- essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;

- rules on market surveillance and enforcement of the above-mentioned rules and requirements.

Scope

The draft Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. It will not apply to products for which cybersecurity requirements are already set out in existing EU rules, for example on medical devices, aviation or cars.

Objectives

It has two main objectives aiming to ensure the proper functioning of the internal market:

- create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle;

- create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Obligations for manufacturers, importers and distributors

Obligations would be set up for economic operators, from manufacturers through to importers and distributors, in relation to the placing on the market of products with digital elements, as appropriate for their role and responsibilities in the supply chain.

The essential cybersecurity requirements and obligations mandate that all products with digital elements shall only be made available on the market if, where duly supplied, properly installed, maintained and used for their intended purpose or under conditions which can be reasonably foreseen, they meet the essential cybersecurity requirements set out in this draft Regulation.

The essential requirements and obligations would mandate manufacturers to factor cybersecurity into the design, development and production of products with digital elements, exercise due diligence on security aspects when designing and developing their products, be transparent about cybersecurity aspects that need to be made known to customers, ensure security support (updates) in a proportionate way, and comply with vulnerability handling requirements.

Notification of conformity assessment bodies

Proper functioning of notified bodies is crucial for ensuring a high level of cybersecurity and for the confidence of all interested parties. Therefore, the proposal sets out requirements for national authorities responsible for conformity assessment bodies (notified bodies). Member States will designate a notifying authority that will be responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies and the monitoring of notified bodies.

Conformity assessment process

Manufacturers should undergo a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled. Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking.

Market surveillance

Member States should appoint market surveillance authorities, which would be responsible for enforcing the Cyber Resilience Act obligations.

In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that don't adhere to the rules.

Application

To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force.

Documents

  • Contribution: COM(2022)0454
  • Contribution: COM(2022)0454
  • Document attached to the procedure: OJ C 452 29.11.2022, p. 0023
  • Document attached to the procedure: N9-0088/2022
  • Document attached to the procedure: EUR-Lex
  • Document attached to the procedure: SEC(2022)0321
  • Document attached to the procedure: SWD(2022)0282
  • Document attached to the procedure: EUR-Lex
  • Document attached to the procedure: SWD(2022)0283
  • Legislative proposal published: COM(2022)0454
  • Legislative proposal published: EUR-Lex
